1. Introduction

The security of all public key cryptosystems depends on assumptions about the hardness 
of certain mathematical problems. These assumptions are unproven, making public key 
cryptography vulnerable to advances in cryptanalysis. In 1994, Peter Shor made such 
an advance by developing an efficient algorithm for prime factorization and discrete 
logarithms pQ. Shor's algorithm breaks the most common public key cryptosystems 
but requires a moderately powerful quantum computer, which fortunately does not yet 
exist. 

Given the importance of public key cryptography to the internet and electronic 
commerce, it is desirable that a practical information-theoretic secure replacement be 
developed and implemented well before public key cryptosystems become vulnerable 
to quantum computers or other attacks [21 E]. Quantum key distribution (QKD), 
first developed by Bennett and Brassard [I], provides a partial solution when coupled 
with one-time pad (OTP) encryption. QKD relies on the uncertainty principle of 
quantum mechanics to provide information-theoretic security against eavesdropping, 
but unfortunately QKD requires authenticated classical channels to prevent man- 
in-the-middle (MITM) attacks. Information-theoretic secure protocols exist for the 
authentication of classical channels EJ [7], but such protocols require a shared
secret key; this requirement is difficult for mutual strangers to satisfy. We refer 
to the requirement of authenticated channels as the stranger authentication problem; 
QKD must overcome this problem to become a feasible, secure alternative to today's 
cryptographically-secure public key systems. 

We propose a solution to the stranger authentication problem by encoding an 
authentication key into multiple shares [HIS]. These shares are transmitted via multiple 
paths through a QKD network in which some nodes already share secret keys. Our 
approach prevents MITM attacks with high probability, even if the attacker controls a 
large, randomly-selected subset of all the nodes. As authenticated QKD in combination 
with OTP provides information-theoretic security [10], we describe the level of security of
our protocol as probabilistic information-theoretic. By this, we mean that the security of
our protocol is stochastic; with very high probability, the protocol provides information-
theoretic security and with some very small probability $\delta$, it fails in such a way as to allow
a sufficiently powerful adversary to perform undetected MITM attacks. The security
parameter $\delta$ can be made arbitrarily small by modest increases in resource usage.

2. Adversary and Network Model 

It is convenient to model networks with properties similar to those described above by 
using undirected graphs, where each vertex represents a node or party participating in 
the network and each edge represents an authenticated public channel. Such a channel 
could be provided by using a shared secret key for authentication, or by any other means 
providing information-theoretic security. We also assume that all parties in the network 
are connected to all other parties by unauthenticated channels that allow both classical
and quantum information. 

This last point can be restated as the assumption that the network of 
(unauthenticated) quantum channels is the complete graph. In the case of a 
geographically large QKD network using present-day technology, distance limitations of 
point-to-point QKD links would make this assumption challenging to satisfy, although 
protocols have been proposed to address this problem under certain circumstances [11]
[12]. In the long term, we believe quantum repeaters [13] will overcome QKD's distance 
limitations. 

2.1. Adversarial capabilities 

We consider an adversary, which we will call the sneaky supercomputer [11]:

(i) The adversary is computationally unbounded. 

(ii) The adversary can listen to, intercept, and alter any message on any public channel. 

(iii) The adversary can compromise a randomly-selected subset of the nodes in the 
network. Compromised nodes are assumed to be under the complete control of 
the adversary. The total fraction of compromised nodes is limited to $(1 - t)$ or
less. 

This adversary would be at least as powerful as one with a quantum computer. It 
can successfully perform MITM attacks against public key cryptosystems (using the 
first capability) and against unauthenticated QKD (using the second capability) but 
not against a QKD link between two uncompromised nodes that share a secret key for 
authentication (since quantum mechanics allows the eavesdropping to be detected) [10].
The adversary can always perform denial-of-service (DOS) attacks by simply destroying 
all transmitted information; since DOS attacks cannot be prevented in this adversarial 
scenario, we concern ourselves only with security against MITM attacks and do not 
consider robustness against DOS attacks further. 

The third capability in this adversarial model, namely the adversary's control of 
a random subset of nodes, simulates a network in which exploitable vulnerabilities are 
present on some nodes but not others. As a first approximation for a real-world network, 
we assume that vulnerable nodes are randomly distributed throughout the network. 
Others have considered adversarial models in which the adversary cannot compromise 
nodes [HI [TS], or can deterministically compromise a small number of nodes [12].

2.2. The Network 

For the stranger authentication problem, let us represent the network as a graph $G$,
with $V(G)$ being the set of vertices (nodes participating in the network) and $E(G)$
being the set of edges (secure authenticated channels, e.g. QKD links between parties
who share secret keys for authentication). We denote $N = |V(G)|$ as the number of
vertices (nodes). The set of compromised nodes $V_d$ is assumed to be controlled by the
adversary: $|V_d| \leq N(1 - t)$.

In Section 3 we describe a protocol that allows an arbitrary uncompromised
Alice and Bob ($A, B \in V(G) \setminus V_d$) who do not initially share a direct link (i.e.,
$(A, B) \notin E(G)$) to communicate with information-theoretic security with very high
probability. Specifically, we show that Alice and Bob can generate a shared secret
key via secret sharing with shares transmitted via multiple paths through the graph.
Moreover Eve's probability of learning the secret shared key is smaller than $\delta$, which
Alice and Bob can make arbitrarily small. Once Alice and Bob share a secret key, they 
use it to authenticate a QKD link with each other. In other words, we assume that 
Alice and Bob can easily acquire an unauthenticated QKD link then use their shared 
secret key to authenticate that link. 

With reference to the adversary's third capability, we can consider an alternate 
scenario in which the adversary is instead able to choose a subset of nodes to compromise. 
If the adversary can control at most n nodes, then n + 1 node-disjoint paths between 
Alice and Bob are required to guarantee security [12].

2.3. Other approaches 

We could model existing public key-based networks using a similar convention, where 
edges represent authenticated (but not necessarily secure) channels used for initial 
distribution of public keys. Such graphs typically have a tree topology, in which most 
parties are connected only to a single root certificate authority (CA), or small number of 
root certificate authorities. Before participating in a public key network, users typically 
obtain a copy of a certificate (which contains the CA's public key) from a few certificate 
authorities. This certificate is then used to verify the authenticity of digitally-signed 
public keys presented by other parties, thereby thwarting MITM attacks. 

The process of obtaining the CA's certificate is often hidden from the user 
because the certificate is usually bundled with their web browser or operating system. 
Nonetheless, obtaining an authentic root CA certificate is a crucial part of the user's 
security process, as a compromised CA certificate would allow an attacker to subvert 
all future communication performed by that user. 

We are now able to make a few observations about the existing public key 
infrastructure. First of all, it relies critically on the honesty and reliability of a small 
number of root CAs. While the root CAs have so far proved to be honest, they do 
occasionally make mistakes. Second, public key networks of $N$ parties require only
O(N) authenticated channels to perform the initial distribution of root CA certificates. 
Third, the compromise of a single authenticated channel can result in compromise of 
all future communication involving a particular single user, but the rest of the parties 
are largely protected. Finally, as is mentioned earlier, public key-based systems are 
vulnerable to our "sneaky supercomputer" adversary (e.g., an attacker with a quantum 
computer) and the consequences of a successful attack against any of the root CAs 
would be severe.

To solve the stranger authentication problem, a naive approach is represented by a 
complete graph wherein every vertex is connected to every other vertex. This approach 
has the drawback that each party would have to have a unique secret key shared with 
each other party, implying $O(N^2)$ secret keys in total. Alternatively, we could seek to
duplicate the tree topology of public key networks and have a few central trusted parties
to which all others are connected [16]. This has most of the drawbacks listed above for
public key networks, as well as the additional requirement that the central trusted 
parties be actively involved in every communication (rather than one-time signing of 
public keys). Clearly, both of these naive approaches suffer from serious limitations 
that make them impractical for large-scale networks. In the subsequent section, we 
present efficient protocols for solving these problems. 



3. The Stranger Authentication Protocol 

In this section, we describe the stranger authentication protocol in the context of a 
uniform random graph. We analyze its security and efficiency in the context of this
network topology, and in Section 3.3, we introduce the power-law topology, which we
study via numerical simulations. 

Consider a uniform random graph $G$ with $N$ vertices, in which the edges
are random, in the sense that each possible edge $e \in V^2(G) = V(G) \times V(G)$ is equally
likely to be a member of the set of edges, $E(G)$. Furthermore, we assume that the
set of compromised nodes $V_d$ is a randomly-chosen subset of the total set of vertices,
$V(G)$. Take some arbitrary uncompromised Alice and Bob in $G$: if Alice and Bob are
acquaintances and share a secret key (i.e., $(A, B) \in E(G)$), then they can communicate
securely using QKD to generate a large key for use as an OTP, using their shared secret
key to authenticate their QKD exchange. We are concerned with the case in which Alice
and Bob are mutual strangers (i.e., $(A, B) \notin E(G)$).

In order for Alice to communicate securely with Bob, she first needs to establish a 
small shared secret key with him to prevent MITM attacks. To obtain a shared secret 
key, Alice and Bob use the following procedure: 

(i) Alice generates a random string of length $l$: $s \in \{0, 1\}^l$. $l$ is chosen as described in
Fig. 1.

(ii) Alice selects all cycle-free paths between her and Bob (we assume Alice and Bob
have a complete and accurate routing table for the graph). Define $n$ to be the
number of such paths.

(iii) Alice employs a secret sharing scheme [H |9] to encode $s$ into $n$ shares, such that
all $n$ shares are required to reconstruct $s$.

(iv) Alice sends Bob one share via each cycle-free path.

(v) Bob receives the shares and combines them to obtain $s'$.

(vi) Alice and Bob use the protocol described in Fig. 1 to determine if $s = s'$. If so,
they are left with a portion of $s$ (identified as $s_3$), which is their shared secret key.
If $s \neq s'$, Alice and Bob discard $s$ and $s'$ and repeat the protocol.

Figure 1. Alice and Bob verify that their respective secret keys, $s = (s_1, s_2, s_3)$
and $s' = (s'_1, s'_2, s'_3)$, are in fact the same through the exchange shown above. Alice
generates a random number $r$, concatenates it with the hash $H(s_3)$ of $s_3$, XORs this
with $s_1$ and sends the result to Bob. Bob decodes with $s'_1$, verifies that $H(s_3) = H(s'_3)$,
then sends back to Alice the result of bit-wise XORing the hash of $r$, $H(r)$, with $s'_2$.
Finally, Alice decodes with $s_2$ and checks to see that the value Bob has computed for
$H(r)$ is correct. Alice and Bob now know $s_3 = s'_3$ and can store $s_3$ for future use. The
lengths of $s_1$ and $s_2$ scale as $O(-\log \delta)$, where $\delta$ is the maximum allowable probability
that an attacker who does not know $s$ can modify $s'$ and escape detection. The length
of $s_3$ is therefore only slightly less than $l$ (the length of $s$). Alice and Bob thus choose
$l$ so that the length of $s_3$ will be sufficient for their purposes. Note that with this
protocol, Eve can fool Alice and Bob into accepting $s \neq s'$ with 100% probability if
Eve knows $s$ and $s'$.
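
Steps (iii) to (vi) and the check of Fig. 1, as an added example (not code from the paper). An n-of-n XOR sharing stands in for the cited secret sharing scheme, SHAKE-256 stands in for the unspecified hash H (so this sketch is only computationally secure), and the 16-byte field width and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

TAG = 16  # assumed byte length of r, H(.) and s2; the text scales it as O(-log delta)

def H(data: bytes) -> bytes:
    # Stand-in for the hash H of Fig. 1 (assumption: the page does not name H).
    return hashlib.shake_256(data).digest(TAG)

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def split(s: bytes, n: int) -> list:
    """Step (iii): encode s into n shares, all of which are needed to rebuild s."""
    if n < 1:
        raise ValueError("need at least one share")
    pads = [secrets.token_bytes(len(s)) for _ in range(n - 1)]
    last = s
    for pad in pads:
        last = xor(last, pad)
    return pads + [last]

def combine(shares: list) -> bytes:
    """Step (v): Bob XORs every received share together to obtain s'."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor(out, share)
    return out

def parts(s: bytes):
    """Partition s = (s1, s2, s3): s1 masks r||H(s3), s2 masks H(r), s3 is the key."""
    if len(s) <= 3 * TAG:
        raise ValueError("s is too short to leave a non-empty s3")
    return s[:2 * TAG], s[2 * TAG:3 * TAG], s[3 * TAG:]

def alice_challenge(s: bytes):
    """Alice's first message: (r || H(s3)) XOR s1. Returns (r, message)."""
    s1, _, s3 = parts(s)
    r = secrets.token_bytes(TAG)
    return r, xor(r + H(s3), s1)

def bob_respond(s_prime: bytes, msg1: bytes):
    """Bob unmasks with s'1, checks H(s3) against H(s'3), answers H(r) XOR s'2."""
    s1p, s2p, s3p = parts(s_prime)
    plain = xor(msg1, s1p)
    r, h = plain[:TAG], plain[TAG:]
    if not hmac.compare_digest(h, H(s3p)):
        return None  # mismatch: Bob aborts
    return xor(H(r), s2p)

def alice_verify(s: bytes, r: bytes, msg2) -> bool:
    """Alice unmasks Bob's reply with s2 and compares it with H(r)."""
    if msg2 is None:
        return False
    return hmac.compare_digest(xor(msg2, parts(s)[1]), H(r))

def establish_key(s: bytes, received_shares: list):
    """Step (vi): return s3 if s = s' is confirmed, else None (discard and repeat)."""
    s_prime = combine(received_shares)
    r, msg1 = alice_challenge(s)
    msg2 = bob_respond(s_prime, msg1)
    return parts(s)[2] if alice_verify(s, r, msg2) else None
```

A share altered in transit by a node that does not know $s$ changes $s'$, and the exchange then returns `None` whichever of the three fields the change lands in.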

The protocol as described above is not efficient, in that the number n of cycle-free 
paths grows rapidly as the size of the graph increases. The protocol can be made efficient 
without much loss in security, as we show later. 

There are some similarities between our protocol and that described by Dolev et 
al. [17] for networks of processors with some faulty processors, in that both protocols
use secret sharing as a means of protecting against nodes that deviate from the protocol. 
The protocols differ substantially with respect to the adversarial models they address. 
Dolev et al.'s protocol handles cases wherein the adversary controls a small number of 
nodes of his or her choice. In contrast our protocol is designed for a network in which 
the adversary controls a large fraction of all the nodes but cannot choose which nodes 
are compromised. 

3.1. Security 

Provided there exists at least one path between Alice and Bob with no faulty or
compromised nodes, Alice and Bob are authenticated and acquire a shared secret
key. MITM attacks are prevented because each node in the path authenticates the
nodes before and after, thereby providing a chain of authentication. 

In order for an attacker (Eve) to compromise the protocol, the attacker must learn s. 
As s is encoded into multiple shares, and all shares are required to reconstruct s, the 
attacker must learn all the shares in order to learn s. Shares are secured in transmission 
by OTP using keys generated by authenticated QKD, so the only way for Eve to learn 
a share is if she controls a node that is part of the transmission path between Alice and 
Bob for that share. Put another way, the protocol is secure unless all share transmission 
paths between Alice and Bob contain at least one compromised node. 

This question can be rephrased in graph-theoretic terms by asking how large
$E(G)$ must be such that the subgraph of $G$ induced by $V(G) \setminus V_d$ is connected.
As an example, Fig. 2 shows a random graph that remains connected even after two
compromised parties are removed. 

Recall that 

\V{G)\ 

is the fraction of uncompromised nodes. Thus, $\lfloor tN \rfloor$ nodes and approximately $t^2 |E(G)|$
edges will remain after the compromised nodes are removed. Using a result obtained
by Erdős and Rényi [TH] for connectedness of uniform random graphs, we see that, for
a random graph of $\lfloor tN \rfloor$ vertices and $\lfloor t^2 |E(G)| \rfloor$ edges in the limit as $tN \to \infty$, the
probability that the graph is connected is

$$P_c = e^{-e^{-2c}} \tag{1}$$

with

$$c = \frac{t\,|E(G)|}{N} - \frac{1}{2} \log tN. \tag{2}$$

Suppose we wish to estimate the number of edges, $|E(G)|$, required to limit the
probability of compromise to some $\epsilon = 1 - P_c$. Using the above result for

$$1 > \epsilon > tN \exp[-t(N - 1)],$$

we obtain the following relation:

$$|E(G)| \gtrsim \frac{N}{2t} \log\left(\frac{tN}{\epsilon}\right). \tag{3}$$

This estimate does not apply in the case where $N$ is finite and $\epsilon = 0$, where it is
clear the number of edges goes to $O(N^2)$ rather than infinity. It is worth noting that
Eq. (3) gives the approximate number of edges required such that, with probability $1 - \epsilon$,
all $A, B$ in $V(G) \setminus V_d$ can communicate securely. This is a stronger result than if we
had shown secure communication just for one particular choice of $A$ and $B$.

3.2. Efficiency and Cost 

According to the protocol described above, the number of shares n required to perform 
the protocol between two arbitrary parties (Alice and Bob) will grow with the total 
number of cycle-free paths between them and thus much faster than the total number of
parties. This is not likely to be a serious problem for small-to-medium networks as the 
strings being sent need not be large (they are necessary only for the initial authentication 
of a QKD protocol) and need only be sent the first time a given pair of parties wish to 
communicate. Nonetheless, it will eventually become a problem as the network grows 
larger so we seek to reduce this cost by having Alice and Bob use only a subset of the 
possible paths. Fortunately, relatively few paths are required to guarantee a high degree 
of security, and the number of paths required scales slowly with the size of the graph. 

We can estimate the number of paths required to keep the probability of compromise
$\delta$ constant. (Note that the following calculation is intended as an estimate rather than a
rigorous derivation.) The probability of a single path of length $\ell$ being uncompromised
is approximately $t^{\ell - 1}$. Suppose we have a graph $G$ with the number of edges $|E(G)|$
chosen according to Eq. (3), where $\epsilon < \delta$.

The diameter (maximal distance between any pair of nodes) of such a graph [19] is

$$d \approx \frac{\log N}{\log \langle k \rangle} \tag{4}$$

with

$$\langle k \rangle = 2|E(G)|/N \tag{5}$$

the average degree of a node in $G$. Expression (4) can be understood by considering the
number of nodes at distance $d$ from some starting node; since each node has on average
$\langle k \rangle$ neighbours, we expect to find $\langle k \rangle^d$ nodes at this distance.

If we wish to find the $p$ shortest (not necessarily independent) paths from Alice to
Bob, we can estimate the length of the longest of these paths as

$$\ell_p \approx \frac{\log(Np)}{\log \langle k \rangle}.$$

We can now estimate the number $p$ of independent paths required to give a probability
$\delta$ that all paths are compromised:

$$p = \frac{\log \delta}{\log\left(1 - t^{\ell_p - 1}\right)}. \tag{6}$$

Note that the right-hand side of Eq. (6) contains $\ell_p$, which depends on $p$; an iterative
process can easily be used to find a solution for $p$.
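
Eqs. (1) to (6) evaluated numerically, as an added example (not the authors' code): Eq. (6) is solved for $p$ by fixed-point iteration, as the text suggests. Function names are illustrative, natural logarithms are assumed in Eqs. (2) and (3), and clamping the path length to at least 2 (one intermediate node between strangers) is an added assumption.

```python
import math

def edges_required(N, t, eps):
    """Eq. (3): edges needed so that the honest subgraph is connected
    with probability about 1 - eps."""
    if not (0 < t <= 1 and 0 < eps < 1):
        raise ValueError("need 0 < t <= 1 and 0 < eps < 1")
    return N / (2 * t) * math.log(t * N / eps)

def connected_probability(N, t, edges):
    """Eqs. (1)-(2): limiting probability that the graph left after removing
    the compromised nodes is connected."""
    c = t * edges / N - 0.5 * math.log(t * N)   # Eq. (2)
    return math.exp(-math.exp(-2 * c))          # Eq. (1)

def paths_required(N, t, delta, eps, tol=1e-9, max_iter=200):
    """Solve Eq. (6) for p by fixed-point iteration. Returns (p, ell_p)."""
    if not (0 < t < 1 and 0 < delta < 1):
        raise ValueError("need 0 < t < 1 and 0 < delta < 1")
    k_avg = 2 * edges_required(N, t, eps) / N   # Eq. (5), average degree
    if k_avg <= 1:
        raise ValueError("average degree must exceed 1")
    p = 1.0
    for _ in range(max_iter):
        # Estimated length of the longest of the p shortest paths.
        # Assumption: strangers are at least two hops apart.
        ell = max(2.0, math.log(N * p) / math.log(k_avg))
        survive = t ** (ell - 1)                # one path stays uncompromised
        p_next = math.log(delta) / math.log(1 - survive)   # Eq. (6)
        if abs(p_next - p) < tol:
            return p_next, ell
        p = p_next
    raise RuntimeError("fixed-point iteration did not converge")

if __name__ == "__main__":
    # eps = 0.001 is an assumed value satisfying eps < delta = 0.01.
    for t in (0.4, 0.6, 0.8):
        p, ell = paths_required(32768, t, delta=0.01, eps=0.001)
        print(f"t={t}: p ~ {math.ceil(p)}, path length ~ {ell:.2f}")
```

With $N = 16384$, $t = 0.8$ and an assumed $\epsilon = 0.001$, `edges_required` rounds up to 167821, the edge count quoted in the caption of Fig. 4.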

We have estimated the number of independent paths $p$ required to guarantee a
certain degree of security; however, it will in general be more practical to choose paths 
that are not completely independent of each other. This will result in some reduction 
of security, which can be compensated for by using additional paths. Another issue is 
that path choice must not be determined solely by a dishonest party; if path choice is 
left solely to Alice, and a malicious Eve wants to impersonate Alice, Eve can choose 
paths such that every path contains a compromised node. One solution is for Bob to 
initiate a second round of the protocol (using different paths) to confirm that he is 
indeed communicating with Alice; the shared secret keys generated in the two rounds
are then combined to produce a final key. 

We use Monte Carlo simulations to test whether our estimate of path requirements 
is reasonable and to compare the performance of uniform random graphs with that of 
power-law graphs. The path-picking algorithm used in this simulation is based upon 
Dijkstra's algorithm [20] for solving the shortest path problem. Initially, all nodes are 
given the same cost. The path of least cost ("shortest" path) between Alice and Bob is 
chosen, and the cost of every intermediate node along the path is incremented. A new
path of least cost is found, and the process is repeated until the desired number of paths 
are chosen. Duplicate paths are not allowed. 
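
The path-picking loop described above, as an added example (not the authors' simulation code). Node costs start at 1 and each chosen path raises the cost of its intermediate nodes; skipping a duplicate path after raising its costs again is an assumed way of enforcing the no-duplicates rule. The graph `SAMPLE_ADJ`, the fixed-graph Monte Carlo estimate and all function names are constructed for illustration.

```python
import heapq
import random

# Constructed sample graph (adjacency lists); Alice = 0 and Bob = 5 are strangers.
SAMPLE_ADJ = {0: [1, 2, 3], 1: [0, 5], 2: [0, 5], 3: [0, 4], 4: [3, 5], 5: [1, 2, 4]}

def least_cost_path(adj, cost, src, dst):
    """Dijkstra over node costs: a path costs the sum of cost[v] over its
    intermediate nodes (src and dst are free). Returns a node list or None."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        if u == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return path[::-1]
        for v in adj[u]:
            nd = d + (0 if v == dst else cost[v])
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return None

def pick_paths(adj, alice, bob, p, max_rounds=None):
    """Choose up to p distinct paths, penalising nodes that were already used."""
    cost = {v: 1 for v in adj}          # initially all nodes have the same cost
    chosen, seen = [], set()
    rounds = max_rounds if max_rounds is not None else 20 * p
    for _ in range(rounds):
        if len(chosen) == p:
            break
        path = least_cost_path(adj, cost, alice, bob)
        if path is None:
            break                        # Alice and Bob are not connected
        for v in path[1:-1]:
            cost[v] += 1                 # make reused nodes less attractive
        if tuple(path) not in seen:      # duplicate paths are not allowed
            seen.add(tuple(path))
            chosen.append(path)
    return chosen

def all_compromised(paths, compromised):
    """Protocol failure: every path has at least one compromised intermediate
    node (also true when no path was found at all)."""
    return all(any(v in compromised for v in path[1:-1]) for path in paths)

def estimate_delta(adj, alice, bob, p, t, trials, rng):
    """Monte Carlo estimate of delta on one fixed graph: compromise a random
    fraction (1 - t) of the other nodes and count trials where all paths are hit."""
    paths = pick_paths(adj, alice, bob, p)
    others = [v for v in adj if v not in (alice, bob)]
    n_bad = int((1 - t) * len(others))
    fails = sum(all_compromised(paths, set(rng.sample(others, n_bad)))
                for _ in range(trials))
    return fails / trials

if __name__ == "__main__":
    print(pick_paths(SAMPLE_ADJ, 0, 5, 3))
    print(estimate_delta(SAMPLE_ADJ, 0, 5, 3, 0.5, 1000, random.Random(7)))
```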

In a real-world application, a higher number of paths used would likely be chosen so 
as to provide a much lower risk of compromise (smaller $\delta$); parameter values used in this
simulation are for illustrative purposes. We make no claims as to the optimality of the
path-picking algorithm used, but note that it gives a nearly constant degree of security
(i.e., $\delta$ is nearly constant) with resource use consistent with the modest scaling with $N$
predicted by our estimates. Simulation details and results are given in the following two 
subsections. 

One resource we have not yet explicitly discussed is bandwidth used during 
execution of the protocol. If we assume that the average number of times a given 
user initiates the protocol (i.e., acts as Alice) is fixed, it is clear that this will scale 
with the number of users involved in one instance of the protocol, which is given by the 
product of the path length with the number of paths. Using the numbers from Fig. 3
and Table 1 as an example, we see that, if $N = 32768$ and $t = 0.4$, a typical user would
have to act as an intermediate node about 300 times for every time he or she acted as a
protocol initiator. As only short keys (~1 kb) are required for authentication, and the
protocol need only be used the first time two mutual strangers wish to communicate, 
this does not represent an unreasonable burden on users. 

Another cost borne by users is the necessity of establishing ~$\langle k \rangle$ edges (shared
secret keys) with other parties in order to join the network and be able to participate
securely. For security reasons, the key exchanges required would have to take place
offline via some secure means. Fortunately, the number of "edges" required is small,
scaling as $O(\log N)$, so we believe this one-time cost will not be too onerous. New users
could be advised of a minimum connectivity requirement and required to perform a 
certain number of secure offline key exchanges before being allowed to use the network. 

3.3. Network Topologies 

We have so far only considered a uniform random topology when discussing the 
application of the protocol to a network. However, in real-world networks, power-law 
graphs are common [19]. Here we consider security in these ubiquitous, naturally- 
occurring network topologies. 

Figure 2. White vertices represent honest parties, whereas shaded vertices represent
dishonest parties. Dashed edges are those that end on a dishonest party. The subgraph
induced by the removal of the shaded vertices remains connected, so any two honest
parties can communicate securely using the protocol described in Sec. 3.

Figure 3. Parameters used in generating graphs for all simulations, both for the
uniform random and truncated power-law cases. The yellow solid line, red long-dashed
line, and blue short-dashed line represent values for $t = 0.4$, $t = 0.6$, and $t = 0.8$,
respectively. (a) shows the average number of edges per node, $\langle k \rangle / 2$, as a function
of $N$, the total number of nodes, and (b) indicates the number of paths $p$ used as a
function of the number of nodes, $N$.

Figure 4. A comparison of the degree distribution (number of nodes $n_k$ with $k$ edges)
of the two graph types being considered with two sample graphs for which $N = 16384$,
$t = 0.8$, and $|E(G)| = 167821$. The red dashed line shows the uniform random case
while the solid blue line is the truncated power-law case.

Power-law graphs are those for which the number of nodes of degree $k$ is
proportional to $k^{-\gamma}$, where $\gamma$ is a positive constant. When compared to a uniform
random graph with the same number of nodes and edges, power-law graphs have been
shown to be more robust against random removal of nodes [H]; specifically, the size of
the largest connected cluster decreases more slowly and the average path length in this
cluster remains smaller (conversely, power-law graphs are more vulnerable than uniform
random graphs to targeted node removal). As Alice and Bob must still be connected
within the subgraph induced by $V(G) \setminus V_d$ in order to communicate securely using our
protocol, this feature of power-law graphs suggests they are more secure against our
adversary.

We modify the power-law structure slightly by imposing a minimum degree cut-off,
$k_{\min}$; in practice, such a cut-off could be enforced by requiring all nodes to have at
least $k_{\min}$ connections before allowing them to participate in the network. The cut-off
is necessary because nodes with low degree are prone to protocol failure by compromise
of all immediate neighbours (and, in a power-law graph, nodes of the lowest allowed
degree are the most common); such failures are suppressed in a truncated power-law
graph.

For example, given a node with degree $k$, the probability that all its neighbours are
compromised (nc = neighbours compromised) is

$$P_{nc}(k) = (1 - t)^k. \tag{7}$$

Let us consider this particular protocol failure mode, in which all of Alice's immediate
neighbours are compromised. We denote the probability of such failure by $\delta_{nc}$. We then
see that

$$\delta_{nc} = P_{nc}(k_{\text{Alice}}) \leq P_{nc}(k_{\min}) = (1 - t)^{k_{\min}}, \tag{8}$$

where $k_{\text{Alice}}$ is Alice's degree and $k_{\min}$ is the minimum degree of any node in the network.
It should be noted that $\delta_{nc}$ represents only a portion of the total probability that the
protocol will fail, $\delta$; by necessity, $\delta > \delta_{nc}$. In the following section, we use Eq. (8)
to estimate the minimum degree cut-off $k_{\min}$ that should be imposed to constrain the
probability of such failures to less than some allowed maximum $\delta_{nc}$.

4. Simulation results 

We now discuss the parameters and results of a simulation of the stranger authentication 
protocol. For each set of parameters, 1000 trials were run, with a new graph and new 
random choice of (non-compromised and non-adjacent) Alice and Bob for each trial. 

The number of paths was chosen according to Eq. (6) and the number of edges
according to Eq. (3), with $\delta = 0.01$ used as the target probability of compromise. The
variation of these parameters with changes in $t$ and $N$ is shown in Fig. 3. This procedure
was followed for both uniform random and truncated power-law graphs, with the only 
difference being the type of graph; this allows us to perform a fair comparison of protocol 
performance on the two network topologies. 
To generate uniform random graphs, pairs of nodes were randomly joined (with
no duplicate edges allowed) until our quota of edges was met. To generate truncated
power-law graphs, suitable minimum degrees were chosen according to Eq. (8) with
$\delta_{nc} = 0.002$. The resulting values of $k_{\min}$ were 4, 7 and 12 for $t$ values of 0.8, 0.6 and 0.4,
respectively. We chose the largest possible $\gamma$ such that the resulting number of edges in
the graph, given by

k=N-i T\jnh.i-"i 

£ 0) 

h—h ■ 



was equal to or smaller than the goal number from Eq. (3). Degrees were assigned to
each node such that the degree distribution of the graph was as close to $k^{-\gamma}$ as possible.
Nodes were then randomly joined until all nodes satisfied their assigned degree as closely
as possible (note that nodes were not allowed to exceed their assigned degree, which
occasionally prevented a small number of nodes from reaching their assigned degree).
The result was a truncated power-law graph with as many or slightly fewer edges than
the corresponding uniform random graph for each set of parameters. We illustrate
the difference between the degree distribution of the truncated power-law and uniform
random topologies, generated according to the methods described above, in Fig. 4.

Our simulation results are given in Table 1 and Fig. 5. Table 1 shows the logarithmic
scaling of path length in $N$ suggested by Eq. (4). This indicates that the cost of
participating in the network, as outlined in Subsection 3.2, scales reasonably (i.e., sub-
exponentially). We see from Fig. 5 that the probability of compromise is approximately
constant in the uniformly random case; our numerical simulations match our predicted
results in this regard. Probability of compromise does slowly increase with decreasing $t$
for both topologies. This behaviour is inevitable, as $\delta$ necessarily goes to 1 as $t$ goes to
0. We further see that truncated power-law graphs consistently offered greater security
than uniform random networks for the adversarial model described in Section 2.1. This
also confirms our expectations; truncated power-law graphs were shown to be more
robust against random removal of nodes. In the alternate adversarial model in which
the adversary is allowed to choose the compromised nodes, we expect power-law graphs
to be somewhat less robust, due to the relative importance of a small number of highly
connected nodes.



5. Conclusion 



We have shown a practical method for solving the stranger authentication problem, 
which arises when one attempts to build a large-scale secure communication network 
using QKD or cryptographic technology with similar properties. This method employs 
secret sharing to make use of multiple, partially-trusted paths through a network. 
Whereas the reliance on the collective integrity of many parties may at first seem 
surprising, it is preferable to current public key cryptographic strategies of using a 
root certificate authority who must always be trusted: our scheme avoids this single 
point of failure by not requiring any party, not even an authority, to be completely
trusted. Through the choice of sufficiently many edges (secure authenticated channels) 
and paths, one can make the possibility of compromise vanishingly small. 

Using both numerical simulations and random graph theory, we have shown that 
our protocol — in conjunction with QKD — provides security at reasonable resource costs. 
Protocol performance is shown via numerical simulations to be better in truncated 
power-law networks than in uniform random networks; since real communication and 
social networks tend to have a power-law structure, this bodes well for performance 
in the real world. Given that QKD systems are already commercially available, our 
methods could be implemented today. 
Table 1. The length of the 99-percentile longest path.




Figure 5. The fraction ($\delta$) of times all paths between Alice and Bob were
compromised, as a function of the number of nodes in the graph, for simulations using 
(a) uniform random graphs and (b) truncated power-law graphs. The yellow solid line, 
red long-dashed line, and blue short-dashed line represent values for t = 0.4, t = 0.6, 
and t = 0.8, respectively. 



